Blogs

      • A Message To Our CA Customers

        Oct 20 2017, 8:22 PM

        by Roxane Divol

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below:

        ******************************************

        On March 23, Google posted a blog on a public forum outlining a set of proposals targeted at Symantec SSL/TLS certificates. This was unexpected, and I wanted to reach out to explain what this proposal means for Symantec customers and how we will respond to Google’s proposal, if implemented, in order to ensure business continuity for you. I also want to address Google’s claims about Symantec’s certificate issuance processes and reaffirm our continued commitment to transparency of our practices as a public certificate authority.

        First and foremost, I want to reassure you that you can continue to trust Symantec SSL/TLS certificates. Google has outlined proposals, not actions. We object to its proposals and intend to engage with Google to work through its concerns.

        To be specific, the key terms of Google’s proposal are as follows:

        1. Over time, Symantec would need to revalidate and reissue previously issued certificates

        2. Maximum validity of newly issued Symantec Certificates would be reduced to 9 months

        3. Extended Validation (EV) treatment of Symantec certificates would be removed for at least one year

        In the event Google implements its proposal, Symantec will ensure your websites, webservers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period. In addition, Google’s proposal requires shorter validity certificates, which we would support. We anticipate Google may attempt to impose this shorter validity period on the entire industry, as it has previously tried to do through an initiative at the CA/Browser Forum that was voted down. Shorter certificate validity periods increase customer expense, which we are working to reduce by making considerable investments in automation. We would work with our customers to provide tools to manage any validity period changes that Google might unilaterally impose.

        Finally, while Google and Chrome have long been working to remove special treatment for EV certificates in general, other browsers continue to recognize it. We will continue to work with Google and other members of the CA/Browser forum on security best practices for the industry. Our customers get value from the extensive validation on our EV certificates, and derive meaningful results from them. Our brand is powerful: our certificates secure more than 80% of ecommerce revenue and our Norton Shopping Guarantee on average increases ecommerce revenue by more than 5%.

        We are proud to be one of the world’s leading certificate authorities. We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA.  Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

        Google’s blog statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event referred to by Google, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. 

        We do not believe Google’s proposal is in the best interest of the Internet community. We are working to resolve the situation with Google in the shared interests of our joint customers and partners.

        In closing, we take certificate issuance very seriously. The events that prompted Google to propose these changes have been addressed with the utmost transparency. We are working hard to ensure that this proposal does not create disruption for you. Please let me know if you would like to schedule a call.

        Best Regards,
        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

      • Symantec Backs Its CA

        Oct 20 2017, 8:21 PM

        by connect

        At Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.  

        Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading.  For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. 

        While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.    

        We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA.  Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites. 

        We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates.  Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.  

        We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.

      • Website Identity - The Key to Safety in E-Commerce

        Oct 20 2017, 9:17 PM

        by Dean Coclin

        Website identity is important for user safety. While encryption is important, knowing who you are encrypting to is paramount when conducting online transactions. While many users can identify the green bar/lettering associated with an Extended Validation (EV) certificate, recent user interface (UI) changes by browsers make it more difficult to differentiate these certificates from low value, domain validated certificates. This makes it a challenge to figure out the true owner of the website.

        For example, Chrome recently changed the certificate UI for Domain Validated (DV) certificates to show a green padlock. With the increase in DV certificates used by fraudsters for phishing (see: http://toolbar.netcraft.com/stats/certificate_authorities), it is becoming more and more difficult for users to determine if a site is legitimate. DV certificates don’t identify the entity behind the website. You just know you are connected to www.example.com; there is no vetted ownership information about example.com. Organization Validated (OV) and EV certificates provide ownership information, allowing a user to know who the site belongs to. But unfortunately, browsers do not distinguish sites with these types of certificates.

        This chart from the CA Security Council (CASC) shows the confusing UIs that are in current browsers: https://casecurity.org/browser-ui-security-indicators/. It’s no wonder that users have trouble understanding the differences in the various certificates. And they are constantly changing.  

        A proposal from the CASC for a common, easy to understand, user display for website identity is shown below:

        [Image: CASC proposal for a common website identity display]

        The members of the CASC, which include the 7 largest SSL issuers in the world, are endorsing a paper on Website Identity Principles, which was presented at the RSA Conference on February 15, 2017. There are three main principles that summarize the intent of this paper:

        1. Website identity is important for user safety.

        2. Different TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a separate, clearly-defined browser UI security indicator to tell users when a website’s identity has been independently confirmed.

        3. Browsers should adopt a common set of browser UI security indicators for different certificate types, and should educate users on the differences among these indicators for user safety.

        More information on these principles is available on the CASC website (https://casecurity.org/identity/).
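        As an added illustration (not part of Dean Coclin's post or any CASC material), the Go code below classifies a certificate by the identity information it actually carries: a DV leaf names only the host, an OV leaf adds a vetted organizationName in the Subject, and an EV leaf additionally asserts the CA/Browser Forum EV policy OID 2.23.140.1.1. The self-signed fixtures for www.example.com and the "Example Corp" organization are constructed for the demonstration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// DV names only the host; OV adds a vetted organizationName; EV is OV plus the CA/B Forum EV policy.
type Validation string
const DV, OV, EV Validation = "DV", "OV", "EV"
// CA/Browser Forum EV policy OID (2.23.140.1.1) and the certificatePolicies extension OID (2.5.29.32).
var evPolicyOID, certPoliciesExt = asn1.ObjectIdentifier{2, 23, 140, 1, 1}, asn1.ObjectIdentifier{2, 5, 29, 32}

// Classify reports which identity level the certificate's own contents support.
func Classify(cert *x509.Certificate) Validation {
	if len(cert.Subject.Organization) == 0 {
		return DV // nothing in the Subject says who operates the site
	}
	for _, oid := range cert.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return EV
		}
	}
	return OV
}

// BuildSample makes a constructed self-signed leaf shaped like a DV, OV or EV certificate (a test fixture).
func BuildSample(kind Validation) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	if kind != DV { // OV and EV both carry vetted organization details in the Subject
		tmpl.Subject.Organization = []string{"Example Corp"} // constructed sample value
	}
	if kind == EV { // hand-encode certificatePolicies so every Go version emits the extension
		val, err := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{evPolicyOID}})
		if err != nil { return nil, err }
		tmpl.ExtraExtensions = []pkix.Extension{{Id: certPoliciesExt, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Older EV certificates may assert a CA-specific policy OID instead of 2.23.140.1.1, so a production check should also consult the issuing CA's published EV OIDs.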
